Ideas

Stuff I have been thinking about. General Linux stuff, personal stuff, Arch Linux stuff.

Extend kernel PCR with cmdline

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f046fff8bc4c

The kernel doesn't checksum the cmdline, which would be practical given that we already do this for the vmlinuz image.

efibootctl

Rewrite efibootmgr in Go with go-uefi and improve usability.

pacman-ostree

Move pacman DbPath to /usr. https://lwn.net/Articles/881107/

mkinitcpio

Autohooks idea

Some way to do the correct thing. From IRC discussion.

  • HOOKS is filled for a maximum initramfs by default; that could be because we ship a /etc/mkinitcpio.conf with a maximum HOOKS; or because we ship a /etc/mkinitcpio.conf without any HOOKS defined, we parse some config in /usr first and there's no HOOKS in /etc/mkinitcpio.conf to override it
  • AUTODETECT is also enabled by default, making hooks do nothing if they detect they wouldn't apply to the current system
  • so by default we generate an initramfs that can handle the current system only
  • mkinitcpio --no-auto or whatever can be used to generate an initramfs for another system

Kernel module signing

Just generally; how do we solve this without getting tied to a MOK?

Witness logs

https://github.com/google/trillian-examples/tree/master/witness

  • kernel.org monitor
  • lvfs monitor

sop-tpm

Write a SOP frontend that stores keys inside TPMs. Probably needs a yolo section to store the private and public blobs.

https://www.openpgp.org/about/sop/

ssh-agent-age

An extension to the ssh-agent protocol that supports file encryption through the agent. This can be used with age and implemented into yubikey-agent as well.

SSH agent restriction

ssh-agent-tpm and /x/crypto/ssh/agent probably need support for "SSH agent restriction". This could either be implemented in the x/crypto library or as an independent thing?

https://www.openssh.org/agent-restrict.html

ssh-agent-proxy

A binary to chain together proxies, for example: ssh-agent-proxy -a ssh-agent-1.sock -a ssh-agent-2.sock

Maybe we could delegate extensions as well?
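A sketch of the core step such a proxy needs, added here as an example and not code from this page or any existing project: merging the SSH_AGENT_IDENTITIES_ANSWER messages of several upstream agents and recording which upstream holds each key, so a sign request can be forwarded to the right socket. The names Merge, Answer and getString are hypothetical, messages are handled without their outer length frame, and the key blobs are placeholder strings.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const identitiesAnswer = 12 // SSH_AGENT_IDENTITIES_ANSWER message type

// Answer encodes blob/comment pairs as an unframed identities answer.
func Answer(pairs ...string) []byte {
	b := binary.BigEndian.AppendUint32([]byte{identitiesAnswer}, uint32(len(pairs)/2))
	for _, s := range pairs {
		b = append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
	}
	return b
}

// getString pops one SSH string (uint32 length + bytes), rejecting overruns.
func getString(b []byte) (string, []byte, error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return "", nil, fmt.Errorf("truncated string")
	}
	n := uint64(binary.BigEndian.Uint32(b))
	return string(b[4 : 4+n]), b[4+n:], nil
}

// Merge joins upstream answers and maps each key blob to the upstream holding it.
func Merge(answers ...[]byte) ([]byte, map[string]int, error) {
	route, flat := map[string]int{}, []string{}
	for i, msg := range answers {
		if len(msg) < 5 || msg[0] != identitiesAnswer {
			return nil, nil, fmt.Errorf("upstream %d: not an identities answer", i)
		}
		n, rest := binary.BigEndian.Uint32(msg[1:5]), msg[5:]
		for ; n > 0; n-- {
			blob, r, err := getString(rest)
			comment, r, err2 := getString(r)
			if err != nil || err2 != nil {
				return nil, nil, fmt.Errorf("upstream %d: truncated identity", i)
			}
			if _, dup := route[blob]; !dup { // first upstream listing a key wins
				route[blob], flat = i, append(flat, blob, comment)
			}
			rest = r
		}
	}
	return Answer(flat...), route, nil
}

// Constructed sample: placeholder strings stand in for real public key blobs.
func main() { fmt.Println(Merge(Answer("blob-A", "tpm"), Answer("blob-B", "yubikey", "blob-A", "dup"))) }
```

The identity count and string lengths come from the upstream agent, so every read is bounds-checked and a short message is an error, not a panic.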

ssh-agent-p11

A pkcs11.so module for communicating signature requests towards an SSH agent.

kernel-install

Need to figure out how we integrate kernel-install properly into Arch Linux. I'm wondering if having a drop-in with NoExtract into /etc/pacman.conf.d/*.conf would be a good idea to ensure we don't install libalpm hooks for kernel installation?